From: Nicolas Costes (nicolas.costes_at_iut-laroche.univ-nantes.fr)
Date: Mon 05 Sep 2005 - 19:41:38 BST
On Friday 2 September 2005 03:06, Herbert Poetzl wrote:
> > I tried, it works on the host.
> good, that _is_ half the way ...
I couldn't get Atalkd to work inside a vserver, although someone on the list
or IRC seems to have succeeded on Debian. Maybe this is Mandriva-related, but
Atalkd (and afpd...) run fine on the host. The TCP part (afpd) works in the
vserver, and the AppleTalk part (Atalkd) does not. So I thought of a capability
issue, but giving all CAPS to the guest did not solve anything...
> > Well, I tried writing CAP_NET_ADMIN and CAP_NET_RAW in the vserver's
> > bcapabilities file, and this does apparently nothing.
> check with 'grep Cap /proc/self/status'
> from inside the guest ...
> (and don't forget to restart the guest)
Well, there was nothing really interesting/understandable inside it... Well,
nothing I found related to CAPS. I'm gonna check again.
> > > > # cat /etc/vservers/filesrv/bcapabilities
> > > > CAP_NET_ADMIN
> > > > CAP_NET_RAW
> > > > I tried too by writing there "NET_ADMIN" and "NET_RAW", there is no
> > > > error nor success.
> > > yep, but udp, tcp and special icmp are the only
> > > ones supported 'by default' ...
> > Which means ?
> which means, other protocols, other requirements
> (mostly capability wise)
Ok, so I set ALL capabilities on that guest, and it still doesn't work :(
Nothing changes!
> > One has got to activate something to use another protocol?
> yes, the cap stuff and it might be a problem
> with missing and/or too strict virtualization
> (but as I said, we can look into that)
I'd like to help, and I've got a few hosts available.
> > > > One more thing : Netatalk tries to load the appletalk kernel
> > > > module on startup, which apparently fails because being inside a
> > > > vserver. Anyway, the module is actually loaded when I start or
> > > > stop the service! (There is no need for it in the host server,
> > > > but it appears there too. "One kernel to rule them all", huh?)
> > > yep, that's the main idea behind linux-vserver.
> > > contrary to Xen or UML you have only one kernel
> > > running on the host, no guest kernel, no guest
> > > modules just pure 100% userspace there ...
> > This is good ;-)! But what is fun is that when /etc/init.d/atalkd
> > is run (from inside the vserver), it "fails" to load the module, but
> > actually the kernel loads it at this very moment!!!
> > Maybe the kernel detects an access to some devices and loads the
> > module from the host ?
> yes, that is possible and likely ...
> (maybe we have to 'restrict' this ...
Well, restrict, but if that prevents hosted programs from running ;-)...
Well, as I think of it, it's really a strange behaviour.
Maybe something is needed to deal with programs that need a particular module
to be loaded at run time... from inside a guest. The problem is, you use
vservers to isolate processes, but the whole (kernel|processes)? will "see" a
module that they do not need. Is it dangerous?
> > > > But atalkd still fails to start arguing that it cannot find any
> > > > net device.
> > > maybe it needs special devices and/or capabilities
> > > don't know yet, never tried to get it working ...
> > > but we can investigate this soon, if you find some
> > > time ...
I've got some, mainly at home after work, but I have access to IRC only at
home. I can reach the IRC logs at work, which can be useful to make tests on
> > > > This means the appletalk module isn't working.
> > > not necessarily, but might be the cause, did you
> > > load it on the host?
It is loaded and the whole thing works. Gone into production yesterday ;-)
> maybe we should move that to the irc
> channel sooner or later :)
I'm online every day after work.
-- To think is to deny what one believes. Emile Chartier, known as Alain, Propos sur la religion
Vserver mailing list
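As an added illustration (not part of the original mail nor of the linux-vserver project), the following POSIX shell script decodes the Cap* hex masks that 'grep Cap /proc/self/status' prints, so that the "nothing understandable" output can be read: it reports whether bit 12 (CAP_NET_ADMIN) and bit 13 (CAP_NET_RAW) are set in each mask; the bit numbers are the kernel's from linux/capability.h, and the status lines fed to it at the end are constructed sample data, not output from the poster's guest.

```sh
#!/bin/sh
# Added example: decode the CapInh/CapPrm/CapEff masks from /proc/PID/status
# and say whether CAP_NET_ADMIN and CAP_NET_RAW are present in each set.
# Bit numbers come from the kernel's linux/capability.h.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeed (exit 0) if capability bit BIT is set in
# the hex mask HEXMASK (the digits as printed, without a leading 0x).
# Shell arithmetic is 64-bit, which covers every mask the kernel prints.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report_caps: read /proc/PID/status-style lines from stdin and, for each
# Cap* line, print "CapXxx NET_ADMIN=yes|no NET_RAW=yes|no".
# Other lines (Name:, Uid:, ...) are skipped.
report_caps() {
    while read -r key mask; do
        case "$key" in
            Cap*:) ;;
            *) continue ;;
        esac
        admin=no; raw=no
        has_cap "$mask" "$CAP_NET_ADMIN" && admin=yes
        has_cap "$mask" "$CAP_NET_RAW"   && raw=yes
        printf '%s NET_ADMIN=%s NET_RAW=%s\n' "${key%:}" "$admin" "$raw"
    done
}

# Constructed sample (not real output): a guest process whose permitted and
# effective sets hold only bits 0-9 (the usual file/uid capabilities), so
# neither NET_ADMIN nor NET_RAW reached it even though they were requested.
printf 'Name:\tatalkd\nCapInh:\t0000000000000000\nCapPrm:\t00000000000003ff\nCapEff:\t00000000000003ff\n' \
    | report_caps

# To check a live guest instead, run:  report_caps < /proc/self/status
```

Run it inside the guest after restarting it; a NET_ADMIN=no or NET_RAW=no on the CapEff line shows the bcapabilities entry never took effect for that process.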